The Amazing Air Gap...

What is an Air Gap?

• A physical gap between the control network and the business network

[Figure: Office Network and Plant Network with a physical gap between them]

© Byres Security Inc.

TOFINO

Why is An Air Gap an Attractive Idea? 

1. Digital information cannot cross a physical gap

2. Bad things will never get into control systems 
Who Believes in Air Gaps?

• Vendor PR managers... 

"It is important to ensure your automation 
network is protected from unauthorized access 
using the strategies suggested in this document 
or isolate the automation network from all other 
networks using an air gap. " 

(Source: SIEMENS-SSA-625789:
Security Vulnerabilities in Siemens
SIMATIC S7-1200 CPU, June 2011)


Who Believes in Air Gaps? 

• Security bloggers: 

"I've written about SCADA issues in the past, but 
one issue that I've consistently tried to 
emphasize is that critical control systems should 
never, ever interact nor interconnect with Internet 
systems in any way, shape, or form. There's a 
good reason for this, and it's always been 
referred to as the "Air Gap" Principle."

(Source: Paul Ferguson, Internet Security Intelligence 
Advanced Threats Research, Trend Micro, Apr 8, 2012) 
Who Does NOT Believe in Air Gaps?


• Vendor engineering managers: 




"Forget the myth of the air gap - the control 
system that is completely isolated is history" 

(Source: Stefan Woronka, Siemens Director of Industrial
Security Services, Siemens Summit, July 2011)
Who Does NOT Believe in Air Gaps?

• US Government ICS-CERT Reports: 

"ICS-CERT recommends placing all control 
systems assets behind firewalls, separated from 
the business network." 

(Source: Multiple ICS-CERT Advisories) 
Searching for Air Gaps

Looking in Vendor Manuals

Let's Look at Stuxnet.

Let's Ask the Dept of Homeland Security

"In our experience in conducting hundreds of
vulnerability assessments in the private sector, in no
case have we ever found the operations network,
the SCADA system or energy management system
separated from the enterprise network.

On average, we see 11 direct connections between
those networks."

Source: Sean McGurk, The Subcommittee on National Security,
Homeland Defense, and Foreign Operations, May 25, 2011 hearing.
We Found One!

The Challenge of Air Gaps
The Good, Bad and the Ugly of Control System Security 



The Control Systems' Hunger for Data 

• New logic from the engineering consultant that 
addresses a design flaw causing downtime 

• Adobe sends you an update for a critical 
vulnerability in the PDF Reader 

• The lab sends a new recipe that will improve quality 

• Patches for computer operating systems 

• Anti-virus signatures and whitelists

• Remote support by system experts 
Pathways into the Plant Floor

It is not a Technology Issue

• The air gap leads to a false sense of security: 

"None of the vulnerabilities [uncovered at the 
NESCOR summit] pose as great a risk as the 
belief that your system is isolated" 

Chris Blask, CEO, ICS Cybersecurity Inc. 

• Air gaps divert data flow to "sneakernet" channels 

• Companies lack controls to manage information 
over "sneakernet" channels 
It is Going to Get Worse...

• "71 % of control engineers expect to see either 
significant or moderate increases in connectivity 
between industrial endpoints and corporate IT 
infrastructure over the next 3-5 years " 

[Chart: survey responses on expected connectivity increase; categories include "No increase"]

Source: Managing Automation Systems: Critical Infrastructure Operators'
Challenges & Opportunities, Industrial Defender, 2011



What Does It All Mean? 

• Assuming an air-gap between ICS and corporate 
networks is unrealistic 

• Modern ICS or SCADA systems are highly complex 

• Multiple potential pathways exist from the outside 
world to the process controllers 

• Focusing security efforts on a few obvious pathways 
(such as USB storage drives or the Enterprise/ICS 
firewall) is a flawed defense 
Real World Security for Control Systems

Security Solutions Must Fit with Human Nature

• Is the problem with the air gap a people problem? 

• No - any technology that requires the user to act in 
ways that are counter to human nature is flawed 

• Expecting engineers to act in ways that are counter 
to their job goals is asking for trouble 
Practical Solutions for ICS/SCADA Security

• Manage ALL data flows into ICS 

• Manage ALL data flows out of ICS 

• Subdivide ICS systems so that issues don't spread 

• Detect unusual behaviors in ICS systems 

• Progressively reduce the probability of attacker 
success the deeper they go into the system 
ANSI/ISA-99: Dividing Up The Control System

• A core concept in the ANSI/ISA-99 (now ISA/IEC 
62443.02.01) security standard is "Zones and 
Conduits" 

• Defines segmentation inside the control system 

• ICS networks divided into layers or zones based on 
control function 

• Multiple separated zones are what implement a "defense in
depth" strategy inside the plant
ANSI/ISA-99: Connecting the Zones

• Connections between the zones are called conduits, 
and these must have security controls to: 

• Control access to zones 

• Resist Denial of Service (DoS) attacks or the transfer of 
malware 

• Shield other network systems 

• Protect the integrity and confidentiality of network traffic 

• It is important to understand and manage all your 
conduits between zones, not just the obvious ones 
Security Zone Definition

• "Security zone: grouping of logical or physical assets 

that share common security requirements" 

[ANSI/ISA-99.02.01-2007, 3.2.116]

• A zone has a clearly defined border (either logical or 
physical), which is the boundary between included and 
excluded elements 
Conduits

• A conduit is a path for the flow of data between two 
zones 

• can provide the security functions that allow different zones 
to communicate securely 

• Any communications between zones must have a conduit. 

[Diagram: two zones joined by a conduit]
Using Zones: An Example Oil Refinery

Specifying the Zones

Defining the Conduits

Defining the Data Flow Between Zones
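The zone and conduit definitions from the preceding slides (a zone is a set of assets with common security requirements; every inter-zone flow must pass through a defined conduit), turned into a small policy model that can be run over observed traffic to find the pathways nobody documented. This is an added example, not code from the slides or from Byres Security/Tofino; the refinery zone names, hosts, protocols and ports are assumptions, and the "observed" flows are constructed for the example rather than taken from any real plant.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical refinery zones and conduits, constructed for this example; the
# asset names, protocols and ports are assumptions, not taken from the slides.


@dataclass(frozen=True)
class Zone:
    name: str
    assets: FrozenSet[str]  # hosts that share the zone's security requirements


@dataclass(frozen=True)
class Conduit:
    src: str                              # source zone name
    dst: str                              # destination zone name
    allowed: FrozenSet[Tuple[str, int]]   # (protocol, port) pairs permitted to flow


class ZoneModel:
    """Zones-and-conduits model: every inter-zone flow must match a conduit."""

    def __init__(self, zones: List[Zone], conduits: List[Conduit]) -> None:
        self._zone_of: Dict[str, str] = {}
        for zone in zones:
            for asset in zone.assets:
                if asset in self._zone_of:
                    raise ValueError(f"{asset} is assigned to two zones")
                self._zone_of[asset] = zone.name
        self._conduits = {(c.src, c.dst): c for c in conduits}

    def check_flow(self, src_asset: str, dst_asset: str, proto: str, port: int) -> Tuple[str, str]:
        """Return (verdict, reason); verdicts: intra-zone, allowed, denied, no-conduit, unknown-asset."""
        src_zone = self._zone_of.get(src_asset)
        dst_zone = self._zone_of.get(dst_asset)
        if src_zone is None or dst_zone is None:
            unknown = src_asset if src_zone is None else dst_asset
            return "unknown-asset", f"{unknown} is not assigned to any zone"
        if src_zone == dst_zone:
            return "intra-zone", f"both assets are in zone {src_zone}"
        conduit = self._conduits.get((src_zone, dst_zone))
        if conduit is None:
            return "no-conduit", f"no conduit defined from {src_zone} to {dst_zone}"
        if (proto, port) not in conduit.allowed:
            return "denied", f"{proto}/{port} not permitted on conduit {src_zone}->{dst_zone}"
        return "allowed", f"{proto}/{port} permitted on conduit {src_zone}->{dst_zone}"


def audit_flows(model: ZoneModel, flows):
    """Return the observed flows that reveal pathways the model does not document."""
    findings = []
    for src, dst, proto, port in flows:
        verdict, reason = model.check_flow(src, dst, proto, port)
        if verdict in ("no-conduit", "unknown-asset"):
            findings.append((src, dst, proto, port, reason))
    return findings


REFINERY = ZoneModel(
    zones=[
        Zone("enterprise", frozenset({"erp01", "mes01"})),
        Zone("dmz", frozenset({"historian-dmz"})),
        Zone("supervisory", frozenset({"scada01", "hmi01"})),
        Zone("crude-unit", frozenset({"plc-crude-01"})),
        Zone("safety", frozenset({"sis-01"})),  # last line of defence: no conduits reach it
    ],
    conduits=[
        Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),          # reports over HTTPS
        Conduit("supervisory", "dmz", frozenset({("tcp", 5450)})),        # historian replication
        Conduit("supervisory", "crude-unit", frozenset({("tcp", 502)})),  # Modbus/TCP polling
    ],
)

# Constructed sample of observed flows, as one would pull from firewall or NetFlow logs.
OBSERVED_FLOWS = [
    ("hmi01", "plc-crude-01", "tcp", 502),
    ("erp01", "historian-dmz", "tcp", 443),
    ("erp01", "historian-dmz", "tcp", 3389),
    ("erp01", "plc-crude-01", "tcp", 502),          # a "direct connection" bypassing the DMZ
    ("hmi01", "scada01", "tcp", 3389),
    ("hmi01", "sis-01", "tcp", 502),                # nothing should be able to reach the SIS
    ("vendor-laptop", "plc-crude-01", "tcp", 502),  # asset that was never inventoried
]

if __name__ == "__main__":
    for flow in OBSERVED_FLOWS:
        print(flow, *REFINERY.check_flow(*flow))
    print("undocumented pathways:", len(audit_flows(REFINERY, OBSERVED_FLOWS)))
```

Two of the three findings are flows between assets that are all inventoried; the model catches them only because the conduit list is exhaustive, which is the point of the "not just the obvious ones" bullet above. The unknown-asset verdict is the sneakernet case: a device that was never assigned to a zone cannot be reasoned about at all, so it is reported rather than silently allowed.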
Protecting with Process and Technology

Look At All Possible Pathways

• Don't focus on a single pathway such as the network 

• Consider all possible infection pathways: 

• Removable Media (CDs, DVDs, USB Drives) 

• File Transfer (Database, PDFs, PLC Project Files) 

• Portable Equipment (Laptops, Storage Units, Config Tools) 

• Internal Network Connections (Business, Lab, QA, Support) 

• External Connections (Support, Contractor, Customer) 

• Wireless (802.11, 802.15, licensed-band, cellular, etc.)

• Other Interfaces (Serial, Data Highways) 
Look At All Possible Pathways

• Have strategies for discovering/mitigating ALL 
pathways 
Start with Last-line-of-Defense Critical Systems

SCADA/ICS-Appropriate Technologies

• Deploy ICS-appropriate security technologies to 
raise an alarm when equipment is compromised or 
at risk of compromise 

• Look beyond traditional network layer firewalls, 
towards firewalls that are capable of deep packet 
inspection of key SCADA and ICS protocols 
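An added example of what "deep packet inspection of key SCADA and ICS protocols" means in practice for Modbus/TCP: instead of allowing or blocking TCP port 502 as a whole, the conduit device parses the MBAP header and PDU of each request, drops anything malformed, and then applies a per-conduit rule that permits read function codes from the business side but permits writes only from an engineering zone, and only to an assumed register range. This is illustrative code written for this page, not Tofino's implementation; the zone names, policies and request frames are constructed assumptions, and the function-code and frame layout follow the published Modbus Application Protocol specification.

```python
import struct
from typing import Dict, Optional, Tuple

# Modbus function codes from the Modbus Application Protocol specification.
READ_FCS = frozenset({1, 2, 3, 4})     # read coils / discrete inputs / registers
WRITE_FCS = frozenset({5, 6, 15, 16})  # write single or multiple coils / registers


class ConduitPolicy:
    """Per-conduit rule: which function codes pass, and which addresses may be written.
    The zone names and register ranges used below are assumptions for this example."""

    def __init__(self, allowed_fcs, writable_ranges=()):
        self.allowed_fcs = frozenset(allowed_fcs)
        self.writable_ranges = tuple(writable_ranges)  # inclusive (low, high) pairs

    def write_allowed(self, start: int, count: int) -> bool:
        end = start + count - 1
        return any(lo <= start and end <= hi for lo, hi in self.writable_ranges)


def parse_modbus_tcp_request(frame: bytes) -> Tuple[int, int, Optional[int], int]:
    """Parse MBAP header + PDU of a Modbus/TCP request.
    Returns (unit_id, function_code, start_address, count); raises ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length does not match bytes on the wire")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError("exception response received where a request was expected")
    pdu = frame[8:]
    if fc in READ_FCS or fc in (15, 16):
        if len(pdu) < 4:
            raise ValueError("PDU truncated")
        start, count = struct.unpack("!HH", pdu[:4])
        if fc in (15, 16) and (len(pdu) < 5 or pdu[4] != len(pdu) - 5):
            raise ValueError("byte count does not match payload")
        return unit_id, fc, start, count
    if fc in (5, 6):
        if len(pdu) != 4:
            raise ValueError("single-write PDU must be exactly 4 bytes")
        return unit_id, fc, struct.unpack("!H", pdu[:2])[0], 1
    return unit_id, fc, None, 0  # other function codes: no address semantics parsed here


def inspect(frame: bytes, src_zone: str, dst_zone: str,
            policies: Dict[Tuple[str, str], ConduitPolicy]) -> Tuple[str, str]:
    """Deep-packet-inspection decision for one Modbus/TCP request crossing a conduit."""
    policy = policies.get((src_zone, dst_zone))
    if policy is None:
        return "drop", f"no conduit defined from {src_zone} to {dst_zone}"
    try:
        _unit, fc, start, count = parse_modbus_tcp_request(frame)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    if fc not in policy.allowed_fcs:
        return "drop", f"function code {fc} not permitted on this conduit"
    if fc in WRITE_FCS and not policy.write_allowed(start, count):
        return "drop", f"write to {start}..{start + count - 1} outside permitted ranges"
    return "allow", f"function code {fc} permitted"


# Assumed conduit policies: business side may only read; engineering may write to 0..99.
POLICIES = {
    ("business", "control"): ConduitPolicy(READ_FCS),
    ("engineering", "control"): ConduitPolicy(READ_FCS | WRITE_FCS, writable_ranges=[(0, 99)]),
}

# Constructed request frames (MBAP header + PDU), not captures from any real plant.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")                  # FC3, 10 regs from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0005 007b")                  # FC6, reg 5 := 123
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 00c8 0002 04 0001 0002")      # FC16, regs 200..201
BAD_LENGTH = bytes.fromhex("0004 0000 0020 01 03 0000 000a")                    # header claims 32 bytes

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write1", WRITE_SINGLE),
                        ("write16", WRITE_MULTI), ("bad", BAD_LENGTH)]:
        print(name, "business:", inspect(frame, "business", "control", POLICIES))
        print(name, "engineering:", inspect(frame, "engineering", "control", POLICIES))
```

The write-range check is what a port-level firewall cannot express: the same TCP port, the same PLC, but a write to register 200 is dropped while a write to register 5 is passed. This code inspects one complete request at a time; a real conduit device must also track TCP stream state and reassemble requests that span segment boundaries, since an attacker who can split a frame across segments can otherwise slip a write past a parser that only looks at the first segment.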
Some Closing Thoughts...

• Air gaps are a dangerous illusion 

• ICS/SCADA systems need data to function 

• Improved defense-in-depth strategies for industrial 
control systems are the only realistic solution 

• Start by securing last-line-of-defense critical
systems, particularly safety instrumented systems (SIS)